There was a time when people bought most of the software on their computer, but this is, of course, now ancient history. Some software you still buy, but much of today’s most-used software is free. No one buys browsers or search engines or social media apps. You get them at no cost in exchange for a few easily-ignored ads and an agreement the software company can use your data to improve its products and target those ads.

This model seemed harmless enough in the beginning. But over the years it’s morphed into a massive information-gathering machine fueled by the personal data of its users. Misaligned incentives mean companies and media sites aim to maximize user attention and maintain ad revenues at any cost. Now, mega-hacks, election scandals, and fears of mass social manipulation have some deeply questioning the model – and Europe will be first to act.

When Europe’s General Data Protection Regulation (GDPR) becomes law on May 25, it will transform social media and search in the EU’s 28 countries and likely beyond. Europe’s sweeping set of regulations, to protect privacy and impose content rules, have been years in the making, but are eerily timely, given recent scandals involving Cambridge Analytica and Facebook. Europe is proposing a complicated template, but don’t mistake it for an attack on technology. Rather, the regulation is aimed at business models based on surveillance, data harvesting, and selling information to the highest bidder with few questions asked.

The European laws shift control of data to customers. New rules require companies to obtain informed consent from users as to how data will be repurposed or sold and give the right to opt out of consent immediately; the right to be forgotten (or expunged from the internet); the right to transfer data to another organization; and the right to transparency regarding use of their data and by whom. In addition, there is a patchwork quilt of European laws that impose huge fines if a company’s stored personal data is hacked or for publishing fake news, hoaxes, hate, and libel.

This massive reform represents a clash of cultures: America’s Wild West, no-holds-barred regulatory climate when it comes to privacy and freedom of expression versus Europe’s sensitivity to privacy and content breaches perpetrated by Big Brother and Stasi-style governments before and since the Cold War. Polling reflects this difference – most Europeans are concerned about privacy while only a minority of Americans are.

The roll-out challenges the freemium business model in search and social media as well as for Internet of Things development, if subsidized by the harvesting and monetization of personal data. Proponents of the status quo argue that the gathering of massive amounts of data is needed to research and develop products and services in future. But critics such as computer scientist Jaron Lanier believe otherwise.

“In the beginning it [free services] was cute,” he said at the recent TED conference. But as computers have become more efficient and algorithms better, Lanier said, it can no longer be called advertising anymore but has turned into behavior modification. Referred to as a “father of virtual reality,” Lanier suggested that Google and Facebook should switch to a subscription model in return for a no ads option. “These companies need to change,” he said.

Spokesmen argue that people don’t want to pay for services and would rather let advertisers finance the platforms. But if Europe’s new regime of privacy protection meets with public acceptance, companies will be pressured to extend these rules to the United States, Canada, and elsewhere. Regulators in Washington and Ottawa are watching reactions and effects of GDPR, but several states, notably California, have jumped the gun and already proposed similar legislation to protect privacy.

Changes have begun in advance of May 25. New privacy rules have filled inboxes from online corporations. Google promises that people around the world can choose what data they want to share from Gmail and Google Docs. Amazon has improved the data encryption on its cloud storage service and simplified an agreement with customers over how it processes their information. Facebook rolled out a feature that allows users to organize who sees their posts and what types of ads they are served.

Europe’s laws will balkanize global giants Facebook, Google, Twitter, Amazon, and YouTube, but this is nothing new. In emerging markets, where there are oppressive regimes, some have adapted their platforms to conform with censorship requirements, data sharing, and other collaborative arrangements with governments.

Some new European measures are onerous, notably content curation and the “right to be forgotten” rule. For instance, Google has 90% market share of search across Europe, and by February, some 650,000 Europeans had already asked Google to delist data. Court decisions have outlined the criteria for Google, but the company must enforce the edict: Unless information is in the public interest, it can and should be removed.

Obviously, there will be costs. Under a worst-case scenario by Wall Street giant Goldman Sachs, Google’s advertising revenue could fall 2 percent and Facebook’s as much as 7 percent due to GDPR. As similar rights are offered to Americans, Canadians, and others, these revenue declines will increase. This is why, in part, Facebook recently moved part of its operations out of Ireland to California as a GDPR avoidance measure, leaving Americans, Canadians, and others with the status quo in terms of control over their data. This move infuriated European officials.

Giovanni Buttarelli, supervisor of the European Data Protection Authority, invoked the Facebook and Cambridge Analytica scandals and warned against “attempts to game the system.” He called data-hungry online platforms “digital sweat factories” that “[farm] people for their attention, ideas, and data in exchange for so called ‘free’ services. The old approach is broken and unsustainable.” Feelings run high and Brussels is not finished. The European Union threatened further restraints unless companies prevent fake news and Cambridge Analytica-style manipulation of personal data before the next European elections in 2019.

Meanwhile, the US mid-terms loom this fall and the system must rely on self-regulation to insure an unfettered election. The rise in political attention on Facebook’s Mark Zuckerberg has led him to signal an openness to regulation following the 2016 US election and Cambridge Analytica fiascos. Clearly, big tech tripped up and was exploited. Hopefully, technological advances and improved business models will continue to innovate and improve lives and economies. But the hands-off business model, and treatment of users as products, is clearly not sustainable going forward.